cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4074
Views
0
Helpful
1
Replies

MPLS and DMVPN backup links. I need some help focusing!

nickhesson
Level 1
Level 1

Hello all,

I'm pretty new to the MPLS and DMVPN worlds.  But after much research and reading I'm still left with some basic "what should be done" or "what do most people do" type of questions.  So I need a little help in getting to the brass tax / action items I should be completing or looking at. 

The current network state is where we have over a hand full of remote small sites that are using site to site VPN via ASAs.  Also each site has remote access vpn's coming into each site.  The problem is of course, we are getting more and more sites online every year.  This network has no real design but connectivity.  But we do have most VPNs terminating at one site that is a VERY lacking "hub" type site.

Here were the goals:

  1. Get away from VPN's onto a brand new MPLS network.  (this is already in progress)
  2. Use the existing internet link for backup DMVPN.
  3. Relocate all remote access vpn terminations from each site to load balancing or Primary/backup Hub sites.

There are a lot more goals to complete, but these are the few that relate to the question(s). 

Here is the network design, the "very lacking" site is going to be are starting hub site (Op Hub2) until we get on main hub site at a colo up and running.  But Op (operations aka the lacking site) network and CoLo network will be the hub sites.  Each hub will be running ACS, ACE servers, and GSS server to load balance applications, and remote access VPNs.  Also each hub site will have access to both internet and MPLS.  The network between them will be the "control network" that will be home to the ACS, ACE, GSS, and all hosted apps. 

Each Remote site (Site X) will have access to both MPLS and internet, but internet link is going to be a re-purposed DMVPN link (I'm Hoping for).  And each Remote site's internet bound traffic will exit via the hub site.

The curve ball (at lease for me everytime I think I got all the answers) is all sites mandate that access goes through ASA's with IPS installed for both MPLS and internet.  Or might not be a curve ball at all. 

Logical EDF Operations.jpg

That's the overview.  This is what I need to clear my head on.  Some advice would be great.

  1. First the simple question, would you all run the ASA's in Transparent Mode?  As far as I can tell the AIP module can run in Transparent Mode.
    1. I'm confuse of how the transit network will look like.  I got both customer side MPLS and inside DMVPN, will/should that be in the same IP range?  Along with the outside ASA interface? 
  2. Another simple one, Would you termiate RA VPN's on the router's or ASA's at the Hub sites? 
  3. The ISP will only use static or BGP for the CE to PE links.  I'm thinking of using OSPF bewteen CE and ASA's (of course in routed mode), and redisrtubte via BGP onto the mpls.  Good? Bad? Dude thats ugly?
    1. Or should I use GRE tunnels and let OSPF manage the whole network?
  4. Should I be using IP SLA to manage the MPLS and failover DMVPN links?
    1. Or should I be looking at OSPF/ routing protocol to manage the links?  If so, will that mean two gre tunnels?

New MPLS DMVPN.jpg

Thanks for your time and help,

Nick

1 Reply 1

Marwan ALshawi
VIP Alumni
VIP Alumni

Hi Nick,

first of all this new design is more scalable than just using VPN remote access or site to site

with MPLS normally your hub sites and remote sites wil exchaning routing with the Teleco lets say BGP for example

and by advertising the networks that need to be access by remote sites with some BGP attributes manipulations such as AS path you can make both hubs work in a active standby

by using the DMVPN as a redundant path/link for remote sites you will be able to maintain the connectivity to the hub sites in the case of MPLS link is down

few things to keep in mind

- DMVPN has to be exchanged and terminated in routers ( ASA dose not support it )

- you can terminate the DMVPN mGRE tunnel in the forntend router and send the traffic to the ASA for inspection and filtering then

- use another routing protocol over the DMVPN, advertise same networks advertised over the MPLS routing however with higher metric for example you can use rip or ospf over the DMVPN with higher route AD and this will make sure the routes learned over MPLS link always preferred, once the links gose down the DMVPN path will be the only path to reach those networks

see the below links which might help you

this one i posted before which discuss your case in a simple way

https://supportforums.cisco.com/docs/DOC-8356

cisco link

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

hope this help

if helpful rate

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: